Linux 5.4.230

 
Linux: Add exception protection processing for vd in axi_chan_handle_err function
Author: Shawn.Shao <shawn.shao@jaguarmicro.com>
Date:   Thu Jan 12 13:58:02 2023 +0800

    Add exception protection processing for vd in axi_chan_handle_err function
    
    commit 57054fe516d59d03a7bcf1888e82479ccc244f87 upstream.
    
    Since there is no protection for vd, a kernel panic will be
    triggered here in exceptional cases.
    
    You can refer to the processing of axi_chan_block_xfer_complete function
    
    The triggered kernel panic is as follows:
    
    [   67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
    [   67.848447] Mem abort info:
    [   67.848449]   ESR = 0x96000004
    [   67.848451]   EC = 0x25: DABT (current EL), IL = 32 bits
    [   67.848454]   SET = 0, FnV = 0
    [   67.848456]   EA = 0, S1PTW = 0
    [   67.848458] Data abort info:
    [   67.848460]   ISV = 0, ISS = 0x00000004
    [   67.848462]   CM = 0, WnR = 0
    [   67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
    [   67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
    [   67.848472] Internal error: Oops: 96000004 [#1] SMP
    [   67.848475] Modules linked in: dmatest
    [   67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
    [   67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
    [   67.848487] pc : axi_chan_handle_err+0xc4/0x230
    [   67.848491] lr : axi_chan_handle_err+0x30/0x230
    [   67.848493] sp : ffff0803fe55ae50
    [   67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
    [   67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
    [   67.848504] x25: ffff800010d33880 x24: ffff80001139d850
    [   67.848508] x23: ffff0800c097c168 x22: 0000000000000000
    [   67.848512] x21: 0000000000000080 x20: 0000000000002000
    [   67.848517] x19: ffff0800c097c080 x18: 0000000000000000
    [   67.848521] x17: 0000000000000000 x16: 0000000000000000
    [   67.848525] x15: 0000000000000000 x14: 0000000000000000
    [   67.848529] x13: 0000000000000000 x12: 0000000000000040
    [   67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
    [   67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
    [   67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
    [   67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
    [   67.848550] x3 : dead000000000100 x2 : dead000000000122
    [   67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
    [   67.848559] Call trace:
    [   67.848562]  axi_chan_handle_err+0xc4/0x230
    [   67.848566]  dw_axi_dma_interrupt+0xf4/0x590
    [   67.848569]  __handle_irq_event_percpu+0x60/0x220
    [   67.848573]  handle_irq_event+0x64/0x120
    [   67.848576]  handle_fasteoi_irq+0xc4/0x220
    [   67.848580]  __handle_domain_irq+0x80/0xe0
    [   67.848583]  gic_handle_irq+0xc0/0x138
    [   67.848585]  el1_irq+0xc8/0x180
    [   67.848588]  arch_cpu_idle+0x14/0x2c
    [   67.848591]  default_idle_call+0x40/0x16c
    [   67.848594]  do_idle+0x1f0/0x250
    [   67.848597]  cpu_startup_entry+0x2c/0x60
    [   67.848600]  rest_init+0xc0/0xcc
    [   67.848603]  arch_call_rest_init+0x14/0x1c
    [   67.848606]  start_kernel+0x4cc/0x500
    [   67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
    [   67.848613] ---[ end trace 585a97036f88203a ]---
    
    Signed-off-by: Shawn.Shao <shawn.shao@jaguarmicro.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20230112055802.1764-1-shawn.shao@jaguarmicro.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ALSA: hda/realtek - Turn on power early
Author: Yuchi Yang <yangyuchi66@gmail.com>
Date:   Fri Dec 30 15:22:25 2022 +0800

    ALSA: hda/realtek - Turn on power early
    
    [ Upstream commit 1f680609bf1beac20e2a31ddcb1b88874123c39f ]
    
    Turn on power early to avoid wrong state for power relation register.
    This can earlier update JD state when resume back.
    
    Signed-off-by: Yuchi Yang <yangyuchi66@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: fix race between quota rescan and disable leading to NULL pointer deref
Author: Filipe Manana <fdmanana@suse.com>
Date:   Thu Jan 12 16:31:08 2023 +0000

    btrfs: fix race between quota rescan and disable leading to NULL pointer deref
    
    commit b7adbf9ada3513d2092362c8eac5cddc5b651f5c upstream.
    
    If we have one task trying to start the quota rescan worker while another
    one is trying to disable quotas, we can end up hitting a race that results
    in the quota rescan worker doing a NULL pointer dereference. The steps for
    this are the following:
    
    1) Quotas are enabled;
    
    2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
       It calls qgroup_rescan_init() which returns 0 (success) and then joins a
       transaction and commits it;
    
    3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
       It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
       btrfs_qgroup_wait_for_completion(), which returns immediately since the
       rescan worker is not yet running.
       Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;
    
    4) Task A queues the rescan worker, by calling btrfs_queue_work();
    
    5) The rescan worker starts, and calls rescan_should_stop() at the start
       of its while loop, which results in 0 iterations of the loop, since
       the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
       task B at step 3);
    
    6) Task B sets fs_info->quota_root to NULL;
    
    7) The rescan worker tries to start a transaction and uses
       fs_info->quota_root as the root argument for btrfs_start_transaction().
       This results in a NULL pointer dereference down the call chain of
       btrfs_start_transaction(). The stack trace is something like the one
       reported in Link tag below:
    
       general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
       KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
       CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
       Workqueue: btrfs-qgroup-rescan btrfs_work_helper
       RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
       Code: 48 89 fb 48 (...)
       RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
       RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
       RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
       RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
       R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
       R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
       FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        <TASK>
        btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
        btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
        process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
        worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
        kthread+0x266/0x300 kernel/kthread.c:376
        ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
        </TASK>
       Modules linked in:
    
    So fix this by having the rescan worker function not attempt to start a
    transaction if it didn't do any rescan work.
    
    Reported-by: syzbot+96977faa68092ad382c4@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/linux-btrfs/000000000000e5454b05f065a803@google.com/
    Fixes: e804861bd4e6 ("btrfs: fix deadlock between quota disable and qgroup rescan worker")
    CC: stable@vger.kernel.org # 5.4+
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
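
The interleaving in steps 1) to 7) above, replayed deterministically in a userspace model. This is an added example, not code from the commit or from btrfs; the struct, enum and function names are simplified stand-ins, and the worker is split into two halves only so that step 6) can be placed between them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is a simplified stand-in. */
struct root { int id; };

struct fs_info {
    bool quota_enabled;       /* models BTRFS_FS_QUOTA_ENABLED in fs_info->flags */
    struct root *quota_root;  /* models fs_info->quota_root */
};

enum { TRANS_STARTED = 0, TRANS_SKIPPED = 1, TRANS_NULL_ROOT = -1 };

/* The kernel function dereferences root; the model reports that case instead. */
static int start_transaction(const struct root *root)
{
    return root ? TRANS_STARTED : TRANS_NULL_ROOT;
}

static bool rescan_should_stop(const struct fs_info *fs)
{
    return !fs->quota_enabled;
}

/* Worker, first half: the scan loop. Returns how many leaves were scanned. */
static int worker_scan(const struct fs_info *fs, int leaves)
{
    int scanned = 0;

    while (scanned < leaves && !rescan_should_stop(fs))
        scanned++;
    return scanned;
}

/* Worker, second half: record progress, which needs a transaction. */
static int worker_finish(const struct fs_info *fs, int scanned, bool fixed)
{
    /* The fix described above: no rescan work done, so no transaction. */
    if (fixed && scanned == 0)
        return TRANS_SKIPPED;
    return start_transaction(fs->quota_root);
}

/* Replays steps 1) to 7) in the order the commit message lists them. */
static int replay_race(bool fixed)
{
    struct root qroot = { .id = 1 };
    struct fs_info fs = { .quota_enabled = true, .quota_root = &qroot }; /* 1) */
    int scanned;

    /* 2) task A: rescan init succeeds, transaction joined and committed */
    fs.quota_enabled = false;                   /* 3) task B clears the flag */
    /* 4) task A queues the worker */
    scanned = worker_scan(&fs, 8);              /* 5) zero loop iterations */
    fs.quota_root = NULL;                       /* 6) task B clears quota_root */
    return worker_finish(&fs, scanned, fixed);  /* 7) */
}

/* Control case: nobody disables quotas, so the worker scans and commits. */
static int replay_no_race(bool fixed)
{
    struct root qroot = { .id = 1 };
    struct fs_info fs = { .quota_enabled = true, .quota_root = &qroot };

    return worker_finish(&fs, worker_scan(&fs, 8), fixed);
}

int main(void)
{
    printf("race, unfixed worker: %d\n", replay_race(false));
    printf("race, fixed worker:   %d\n", replay_race(true));
    printf("no race, fixed:       %d\n", replay_no_race(true));
    return 0;
}
```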

 
cifs: do not include page data when checking signature
Author: Enzo Matsumiya <ematsumiya@suse.de>
Date:   Wed Jan 18 14:06:57 2023 -0300

    cifs: do not include page data when checking signature
    
    commit 30b2b2196d6e4cc24cbec633535a2404f258ce69 upstream.
    
    On async reads, page data is allocated before sending.  When the
    response is received but it has no data to fill (e.g.
    STATUS_END_OF_FILE), __calc_signature() will still include the pages in
    its computation, leading to an invalid signature check.
    
    This patch fixes this by not setting the async read smb_rqst page data
    (zeroed by default) if its got_bytes is 0.
    
    This can be reproduced/verified with xfstests generic/465.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
    Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
comedi: adv_pci1760: Fix PWM instruction handling
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Jan 3 14:37:54 2023 +0000

    comedi: adv_pci1760: Fix PWM instruction handling
    
    commit 2efb6edd52dc50273f5e68ad863dd1b1fb2f2d1c upstream.
    
    (Actually, this is fixing the "Read the Current Status" command sent to
    the device's outgoing mailbox, but it is only currently used for the PWM
    instructions.)
    
    The PCI-1760 is operated mostly by sending commands to a set of Outgoing
    Mailbox registers, waiting for the command to complete, and reading the
    result from the Incoming Mailbox registers.  One of these commands is
    the "Read the Current Status" command.  The number of this command is
    0x07 (see the User's Manual for the PCI-1760 at
    <https://advdownload.advantech.com/productfile/Downloadfile2/1-11P6653/PCI-1760.pdf>).
    The `PCI1760_CMD_GET_STATUS` macro defined in the driver should expand
    to this command number 0x07, but unfortunately it currently expands to
    0x03.  (Command number 0x03 is not defined in the User's Manual.)
    Correct the definition of the `PCI1760_CMD_GET_STATUS` macro to fix it.
    
    This is used by all the PWM subdevice related instructions handled by
    `pci1760_pwm_insn_config()` which are probably all broken.  The effect
    of sending the undefined command number 0x03 is not known.
    
    Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
    Cc: <stable@vger.kernel.org> # v4.5+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20230103143754.17564-1-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
dmaengine: tegra210-adma: fix global intr clear
Author: Mohan Kumar <mkumard@nvidia.com>
Date:   Mon Jan 2 12:18:44 2023 +0530

    dmaengine: tegra210-adma: fix global intr clear
    
    commit 9c7e355ccbb33d239360c876dbe49ad5ade65b47 upstream.
    
    The current global interrupt clear programming register offset
    was not correct. Fix the programming with right offset
    
    Fixes: ded1f3db4cd6 ("dmaengine: tegra210-adma: prepare for supporting newer Tegra chips")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
    Link: https://lore.kernel.org/r/20230102064844.31306-1-mkumard@nvidia.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix
Author: Joshua Ashton <joshua@froggi.es>
Date:   Tue Jan 10 22:50:42 2023 +0000

    drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix
    
    commit 973a9c810c785ac270a6d50d8cf862b0c1643a10 upstream.
    
    The YCC conversion matrix for RGB -> COLOR_SPACE_YCBCR2020_TYPE is
    missing the values for the fourth column of the matrix.
    
    The fourth column of the matrix is essentially just a value that is
    added given that the color is 3 components in size.
    These values are needed to bias the chroma from the [-1, 1] -> [0, 1]
    range.
    
    This fixes color being very green when using Gamescope HDR on HDMI
    output which prefers YCC 4:4:4.
    
    Fixes: 40df2f809e8f ("drm/amd/display: color space ycbcr709 support")
    Reviewed-by: Melissa Wen <mwen@igalia.com>
    Signed-off-by: Joshua Ashton <joshua@froggi.es>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/amd/display: Fix set scaling doesn's work
Author: hongao <hongao@uniontech.com>
Date:   Tue Nov 22 19:20:34 2022 +0800

    drm/amd/display: Fix set scaling doesn's work
    
    commit 040625ab82ce6dca7772cb3867fe5c9eb279a344 upstream.
    
    [Why]
    Setting scaling does not correctly update CRTC state. As a result
    dc stream state's src (composition area) && dest (addressable area)
    was not calculated as expected. This causes set scaling doesn't work.
    
    [How]
    Correctly update CRTC state when setting scaling property.
    
    Reviewed-by: Harry Wentland <harry.wentland@amd.com>
    Tested-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    Signed-off-by: hongao <hongao@uniontech.com>
    Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/i915/gt: Reset twice
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Mon Dec 12 17:13:38 2022 +0100

    drm/i915/gt: Reset twice
    
    [ Upstream commit d3de5616d36462a646f5b360ba82d3b09ff668eb ]
    
    After applying an engine reset, on some platforms like Jasperlake, we
    occasionally detect that the engine state is not cleared until shortly
    after the resume. As we try to resume the engine with volatile internal
    state, the first request fails with a spurious CS event (it looks like
    it reports a lite-restore to the hung context, instead of the expected
    idle->active context switch).
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Cc: stable@vger.kernel.org
    Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
    Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
    Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com
    (cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/i915: re-disable RC6p on Sandy Bridge
Author: Sasa Dragic <sasa.dragic@gmail.com>
Date:   Mon Dec 19 18:29:27 2022 +0100

    drm/i915: re-disable RC6p on Sandy Bridge
    
    commit 67b0b4ed259e425b7eed09da75b42c80682ca003 upstream.
    
    RC6p on Sandy Bridge got re-enabled over time, causing visual glitches
    and GPU hangs.
    
    Disabled originally in commit 1c8ecf80fdee ("drm/i915: do not enable
    RC6p on Sandy Bridge").
    
    Signed-off-by: Sasa Dragic <sasa.dragic@gmail.com>
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221219172927.9603-2-sasa.dragic@gmail.com
    Fixes: fb6db0f5bf1d ("drm/i915: Remove unsafe i915.enable_rc6")
    Fixes: 13c5a577b342 ("drm/i915/gt: Select the deepest available parking mode for rc6")
    Cc: stable@vger.kernel.org
    Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    (cherry picked from commit 0c8a6e9ea232c221976a0670256bd861408d9917)
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Mon Jan 16 21:19:03 2023 +0100

    dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation
    
    commit e181119046a0ec16126b682163040e8e33f310c1 upstream.
    
    The compatible string in the driver doesn't have the meson prefix.
    Fix this in the documentation and rename the file accordingly.
    
    Fixes: 87a55485f2fc ("dt-bindings: phy: meson-g12a-usb3-pcie-phy: convert to yaml")
    Cc: stable@vger.kernel.org
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/0a82be92-ce85-da34-9d6f-4b33034473e5@gmail.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
efi: fix userspace infinite retry read efivars after EFI runtime services page fault
Author: Ding Hui <dinghui@sangfor.com.cn>
Date:   Tue Dec 27 23:09:36 2022 +0800

    efi: fix userspace infinite retry read efivars after EFI runtime services page fault
    
    [ Upstream commit e006ac3003080177cf0b673441a4241f77aaecce ]
    
    After [1][2], if we catch exceptions due to EFI runtime service, we will
    clear EFI_RUNTIME_SERVICES bit to disable EFI runtime service, then the
    subsequent routine which invoke the EFI runtime service should fail.
    
    But the userspace cat efivars through /sys/firmware/efi/efivars/ will stuck
    and infinite loop calling read() due to efivarfs_file_read() return -EINTR.
    
    The -EINTR is converted from EFI_ABORTED by efi_status_to_err(), and is
    an improper return value in this situation, so let virt_efi_xxx() return
    EFI_DEVICE_ERROR and converted to -EIO to invoker.
    
    Cc: <stable@vger.kernel.org>
    Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running EFI runtime services")
    Fixes: 23715a26c8d8 ("arm64: efi: Recover from synchronous exceptions occurring in firmware")
    Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: let's avoid panic if extent_tree is not created
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date:   Wed Dec 21 16:14:10 2022 -0800

    f2fs: let's avoid panic if extent_tree is not created
    
    [ Upstream commit df9d44b645b83fffccfb4e28c1f93376585fdec8 ]
    
    This patch avoids the below panic.
    
    pc : __lookup_extent_tree+0xd8/0x760
    lr : f2fs_do_write_data_page+0x104/0x87c
    sp : ffffffc010cbb3c0
    x29: ffffffc010cbb3e0 x28: 0000000000000000
    x27: ffffff8803e7f020 x26: ffffff8803e7ed40
    x25: ffffff8803e7f020 x24: ffffffc010cbb460
    x23: ffffffc010cbb480 x22: 0000000000000000
    x21: 0000000000000000 x20: ffffffff22e90900
    x19: 0000000000000000 x18: ffffffc010c5d080
    x17: 0000000000000000 x16: 0000000000000020
    x15: ffffffdb1acdbb88 x14: ffffff888759e2b0
    x13: 0000000000000000 x12: ffffff802da49000
    x11: 000000000a001200 x10: ffffff8803e7ed40
    x9 : ffffff8023195800 x8 : ffffff802da49078
    x7 : 0000000000000001 x6 : 0000000000000000
    x5 : 0000000000000006 x4 : ffffffc010cbba28
    x3 : 0000000000000000 x2 : ffffffc010cbb480
    x1 : 0000000000000000 x0 : ffffff8803e7ed40
    Call trace:
     __lookup_extent_tree+0xd8/0x760
     f2fs_do_write_data_page+0x104/0x87c
     f2fs_write_single_data_page+0x420/0xb60
     f2fs_write_cache_pages+0x418/0xb1c
     __f2fs_write_data_pages+0x428/0x58c
     f2fs_write_data_pages+0x30/0x40
     do_writepages+0x88/0x190
     __writeback_single_inode+0x48/0x448
     writeback_sb_inodes+0x468/0x9e8
     __writeback_inodes_wb+0xb8/0x2a4
     wb_writeback+0x33c/0x740
     wb_do_writeback+0x2b4/0x400
     wb_workfn+0xe4/0x34c
     process_one_work+0x24c/0x5bc
     worker_thread+0x3e8/0xa50
     kthread+0x150/0x1b4
    
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gsmi: fix null-deref in gsmi_get_variable
Author: Khazhismel Kumykov <khazhy@chromium.org>
Date:   Tue Jan 17 17:02:12 2023 -0800

    gsmi: fix null-deref in gsmi_get_variable
    
    commit a769b05eeed7accc4019a1ed9799dd72067f1ce8 upstream.
    
    We can get EFI variables without fetching the attribute, so we must
    allow for that in gsmi.
    
    commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore
    access layer") added a new get_variable call with attr=NULL, which
    triggers panic in gsmi.
    
    Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
    Link: https://lore.kernel.org/r/20230118010212.1268474-1-khazhy@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.230
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Jan 24 07:18:01 2023 +0100

    Linux 5.4.230
    
    Link: https://lore.kernel.org/r/20230122150222.210885219@linuxfoundation.org
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Link: https://lore.kernel.org/r/20230123094907.292995722@linuxfoundation.org
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
misc: fastrpc: Don't remove map on creater_process and device_release
Author: Abel Vesa <abel.vesa@linaro.org>
Date:   Thu Nov 24 17:49:40 2022 +0000

    misc: fastrpc: Don't remove map on creater_process and device_release
    
    commit 5bb96c8f9268e2fdb0e5321cbc358ee5941efc15 upstream.
    
    Do not remove the map from the list on error path in
    fastrpc_init_create_process, instead call fastrpc_map_put, to avoid
    use-after-free. Do not remove it on fastrpc_device_release either,
    call fastrpc_map_put instead.
    
    The fastrpc_free_map is the only proper place to remove the map.
    This is called only after the reference count is 0.
    
    Fixes: b49f6d83e290 ("misc: fastrpc: Fix a possible double free")
    Cc: stable <stable@kernel.org>
    Co-developed-by: Ola Jeppsson <ola@snap.com>
    Signed-off-by: Ola Jeppsson <ola@snap.com>
    Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20221124174941.418450-3-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

misc: fastrpc: Fix use-after-free race condition for maps
Author: Ola Jeppsson <ola@snap.com>
Date:   Thu Nov 24 17:49:41 2022 +0000

    misc: fastrpc: Fix use-after-free race condition for maps
    
    commit 96b328d119eca7563c1edcc4e1039a62e6370ecb upstream.
    
    It is possible that in between calling fastrpc_map_get() until
    map->fl->lock is taken in fastrpc_free_map(), another thread can call
    fastrpc_map_lookup() and get a reference to a map that is about to be
    deleted.
    
    Rewrite fastrpc_map_get() to only increase the reference count of a map
    if it's non-zero. Propagate this to callers so they can know if a map is
    about to be deleted.
    
    Fixes this warning:
    refcount_t: addition on 0; use-after-free.
    WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
    ...
    Call trace:
     refcount_warn_saturate
     [fastrpc_map_get inlined]
     [fastrpc_map_lookup inlined]
     fastrpc_map_create
     fastrpc_internal_invoke
     fastrpc_device_ioctl
     __arm64_sys_ioctl
     invoke_syscall
    
    Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Ola Jeppsson <ola@snap.com>
    Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20221124174941.418450-4-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
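
The "only increase the reference count if it's non-zero" rule from the commit above, modelled in userspace with C11 atomics. This is an added example, not the driver's code: struct map, map_get_always(), map_get_unless_zero(), map_put() and map_lookup() are hypothetical names, and the race window is replayed in a single thread so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of a reference-counted map. All names are hypothetical. */
struct map {
    atomic_uint refs;  /* 0 means the last reference is gone and a free is pending */
    int fd;
};

/* Pre-fix behaviour: a lookup takes a reference whatever the count is. */
static void map_get_always(struct map *m)
{
    atomic_fetch_add(&m->refs, 1);
}

/* Post-fix behaviour: take a reference only while the count is non-zero. */
static bool map_get_unless_zero(struct map *m)
{
    unsigned int old = atomic_load(&m->refs);

    while (old != 0) {
        /* A failed CAS reloads 'old', so the zero test is repeated. */
        if (atomic_compare_exchange_weak(&m->refs, &old, old + 1))
            return true;
    }
    return false;
}

/* Returns true when the caller dropped the last reference and must free. */
static bool map_put(struct map *m)
{
    return atomic_fetch_sub(&m->refs, 1) == 1;
}

/* Lookup by fd: returns the map with a reference held, or NULL. */
static struct map *map_lookup(struct map *m, int fd, bool fixed)
{
    if (m->fd != fd)
        return NULL;
    if (!fixed) {
        map_get_always(m);
        return m;
    }
    return map_get_unless_zero(m) ? m : NULL;
}

/*
 * Replay of the window: thread 1 drops the last reference (count reaches 0)
 * but has not yet unlinked and freed the map; thread 2 looks the same fd up
 * in that gap. Returns 1 if the lookup handed out the dying map, 0 if it
 * refused.
 */
static int lookup_in_teardown_window(bool fixed)
{
    struct map m = { .fd = 7 };
    struct map *got;

    atomic_init(&m.refs, 1);
    (void)map_put(&m);                /* thread 1: 1 -> 0, free is pending */
    got = map_lookup(&m, 7, fixed);   /* thread 2: runs before the free */
    return got != NULL;
}

int main(void)
{
    printf("unfixed lookup returned dying map: %d\n",
           lookup_in_teardown_window(false));
    printf("fixed lookup returned dying map:   %d\n",
           lookup_in_teardown_window(true));
    return 0;
}
```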

 
mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma
Author: Hugh Dickins <hughd@google.com>
Date:   Thu Dec 22 12:41:50 2022 -0800

    mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma
    
    commit ab0c3f1251b4670978fde0bd54161795a139b060 upstream.
    
    uprobe_write_opcode() uses collapse_pte_mapped_thp() to restore huge pmd,
    when removing a breakpoint from hugepage text: vma->anon_vma is always set
    in that case, so undo the prohibition.  And MADV_COLLAPSE ought to be able
    to collapse some page tables in a vma which happens to have anon_vma set
    from CoWing elsewhere.
    
    Is anon_vma lock required?  Almost not: if any page other than expected
    subpage of the non-anon huge page is found in the page table, collapse is
    aborted without making any change.  However, it is possible that an anon
    page was CoWed from this extent in another mm or vma, in which case a
    concurrent lookup might look here: so keep it away while clearing pmd (but
    perhaps we shall go back to using pmd_lock() there in future).
    
    Note that collapse_pte_mapped_thp() is exceptional in freeing a page table
    without having cleared its ptes: I'm uneasy about that, and had thought
    pte_clear()ing appropriate; but exclusive i_mmap lock does fix the
    problem, and we would have to move the mmu_notification if clearing those
    ptes.
    
    What this fixes is not a dangerous instability.  But I suggest Cc stable
    because uprobes "healing" has regressed in that way, so this should follow
    8d3c106e19e8 into those stable releases where it was backported (and may
    want adjustment there - I'll supply backports as needed).
    
    Link: https://lkml.kernel.org/r/b740c9fb-edba-92ba-59fb-7a5592e5dfc@google.com
    Fixes: 8d3c106e19e8 ("mm/khugepaged: take the right locks for page table retraction")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Acked-by: David Hildenbrand <david@redhat.com>
    Cc: Jann Horn <jannh@google.com>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: Zach O'Keefe <zokeefe@google.com>
    Cc: Song Liu <songliubraving@fb.com>
    Cc: <stable@vger.kernel.org>    [5.4+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mmc: sunxi-mmc: Fix clock refcount imbalance during unbind
Author: Samuel Holland <samuel@sholland.org>
Date:   Tue Aug 9 21:25:09 2022 -0500

    mmc: sunxi-mmc: Fix clock refcount imbalance during unbind
    
    commit 8509419758f2cc28dd05370385af0d91573b76b4 upstream.
    
    If the controller is suspended by runtime PM, the clock is already
    disabled, so do not try to disable it again during removal. Use
    pm_runtime_disable() to flush any pending runtime PM transitions.
    
    Fixes: 9a8e1e8cc2c0 ("mmc: sunxi: Add runtime_pm support")
    Signed-off-by: Samuel Holland <samuel@sholland.org>
    Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220810022509.43743-1-samuel@sholland.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
Author: Daniil Tatianin <d-tatianin@yandex-team.ru>
Date:   Mon Dec 26 14:48:23 2022 +0300

    net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
    
    [ Upstream commit 9deb1e9fb88b1120a908676fa33bdf9e2eeaefce ]
    
    It's not very useful to copy back an empty ethtool_stats struct and
    return 0 if we didn't actually have any stats. This also allows for
    further simplification of this function in the future commits.
    
    Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: fix general protection fault in nilfs_btree_insert()
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Thu Jan 5 14:53:56 2023 +0900

    nilfs2: fix general protection fault in nilfs_btree_insert()
    
    commit 7633355e5c7f29c049a9048e461427d1d8ed3051 upstream.
    
    If nilfs2 reads a corrupted disk image and tries to read a b-tree node
    block by calling __nilfs_btree_get_block() against an invalid virtual
    block address, it returns -ENOENT because conversion of the virtual block
    address to a disk block address fails.  However, this return value is the
    same as the internal code that b-tree lookup routines return to indicate
    that the block being searched does not exist, so functions that operate on
    that b-tree may misbehave.
    
    When nilfs_btree_insert() receives this spurious 'not found' code from
    nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
    successful and continues the insert operation using incomplete lookup path
    data, causing the following crash:
    
     general protection fault, probably for non-canonical address
     0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
     KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
     ...
     RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
     RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
     RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
     Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
     ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
     28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
     ...
     Call Trace:
     <TASK>
      nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
      nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
      nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
      __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
      __block_write_begin fs/buffer.c:2041 [inline]
      block_write_begin+0x93/0x1e0 fs/buffer.c:2102
      nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
      generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
      __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
      generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
      call_write_iter include/linux/fs.h:2186 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x7dc/0xc50 fs/read_write.c:584
      ksys_write+0x177/0x2a0 fs/read_write.c:637
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
     ...
     </TASK>
    
    This patch fixes the root cause of this problem by replacing the error
    code that __nilfs_btree_get_block() returns on block address conversion
    failure from -ENOENT to another internal code -EINVAL which means that the
    b-tree metadata is corrupted.
    
    By returning -EINVAL, it propagates without glitches, and for all relevant
    b-tree operations, functions in the upper bmap layer output an error
    message indicating corrupted b-tree metadata via
    nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
    it should be.
    
    Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com
    Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+ede796cecd5296353515@syzkaller.appspotmail.com
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
pNFS/filelayout: Fix coalescing test for single DS
Author: Olga Kornievskaia <olga.kornievskaia@gmail.com>
Date:   Tue Dec 20 12:31:29 2022 -0500

    pNFS/filelayout: Fix coalescing test for single DS
    
    [ Upstream commit a6b9d2fa0024e7e399c26facd0fb466b7396e2b9 ]
    
    When there is a single DS no striping constraints need to be placed on
    the IO. When such constraint is applied then buffered reads don't
    coalesce to the DS's rsize.
    
    Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
prlimit: do_prlimit needs to have a speculation check
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jan 20 11:03:20 2023 +0100

    prlimit: do_prlimit needs to have a speculation check
    
    commit 739790605705ddcf18f21782b9c99ad7d53a8c11 upstream.
    
    do_prlimit() adds the user-controlled resource value to a pointer that
    will subsequently be dereferenced.  In order to help prevent this
    codepath from being used as a spectre "gadget" a barrier needs to be
    added after checking the range.
    
    Reported-by: Jordy Zomer <jordyzomer@google.com>
    Tested-by: Jordy Zomer <jordyzomer@google.com>
    Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
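
The pattern the prlimit commit message describes (range-check a user-controlled index, then stop a mispredicted branch from using the unchecked value in pointer arithmetic), as an added userspace sketch; it is not the kernel patch. `DEMO_NLIMITS`, `demo_table` and all function names are assumptions made for this example; the branch-free masking follows the same idea as the kernel's `array_index_nospec()` helper.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define DEMO_NLIMITS 16UL   /* assumed table size, stand-in for the real limit count */

struct demo_rlimit { unsigned long cur, max; };
static struct demo_rlimit demo_table[DEMO_NLIMITS];

/*
 * Hide a value from the optimizer. Without this the compiler can prove the
 * index is already in range after the bounds check and delete the masking,
 * which would leave only the (speculatively bypassable) branch.
 */
static unsigned long hide_from_optimizer(unsigned long v)
{
#if defined(__GNUC__) || defined(__clang__)
    __asm__ volatile("" : "+r"(v));
#endif
    return v;
}

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Valid for size <= LONG_MAX. If index >= size, either index itself or
 * (size - 1 - index) has its top bit set, so oob becomes 1 and the mask 0.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long oob;

    index = hide_from_optimizer(index);
    oob = (index | (size - 1UL - index)) >> (sizeof(unsigned long) * CHAR_BIT - 1);
    return oob - 1UL;
}

/* Clamp: in-range indexes pass through, out-of-range ones become 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/*
 * "Before" shape: the range check is architecturally correct, but under
 * branch misprediction the pointer can be formed from an unchecked index.
 */
static struct demo_rlimit *lookup_checked_only(unsigned int resource)
{
    if (resource >= DEMO_NLIMITS)
        return NULL;
    return demo_table + resource;
}

/*
 * "After" shape: same check, then the index is clamped by data dependency,
 * so even a speculated path cannot address outside demo_table.
 */
static struct demo_rlimit *lookup_hardened(unsigned int resource)
{
    if (resource >= DEMO_NLIMITS)
        return NULL;
    resource = (unsigned int)clamp_index_nospec(resource, DEMO_NLIMITS);
    return demo_table + resource;
}

int main(void)
{
    unsigned int samples[] = { 0, 5, 15, 16, 4096 };   /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int r = samples[i];
        printf("resource=%u clamp=%lu checked_only=%s hardened=%s\n",
               r, clamp_index_nospec(r, DEMO_NLIMITS),
               lookup_checked_only(r) ? "ptr" : "NULL",
               lookup_hardened(r) ? "ptr" : "NULL");
    }
    return 0;
}
```

Both lookups return the same results architecturally; the difference is only what a mispredicted branch is able to dereference.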

 
RDMA/srp: Move large values to a new enum for gcc13
Author: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Date:   Mon Dec 12 13:04:11 2022 +0100

    RDMA/srp: Move large values to a new enum for gcc13
    
    [ Upstream commit 56c5dab20a6391604df9521f812c01d1e3fe1bd0 ]
    
    Since gcc13, each member of an enum has the same type as the enum [1]. And
    that is inherited from its members. Provided these two:
      SRP_TAG_NO_REQ        = ~0U,
      SRP_TAG_TSK_MGMT      = 1U << 31
    all other members are unsigned ints.
    
    Esp. with SRP_MAX_SGE and SRP_TSK_MGMT_SQ_SIZE and their use in min(),
    this results in the following warnings:
      include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast
      drivers/infiniband/ulp/srp/ib_srp.c:563:42: note: in expansion of macro 'min'
    
      include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast
      drivers/infiniband/ulp/srp/ib_srp.c:2369:27: note: in expansion of macro 'min'
    
    So move the large values away to a separate enum, so that they don't
    affect other members.
    
    [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=36113
    
    Link: https://lore.kernel.org/r/20221212120411.13750-1-jirislaby@kernel.org
    Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID
Author: Hao Sun <sunhao.th@gmail.com>
Date:   Thu Dec 22 10:44:14 2022 +0800

    selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID
    
    [ Upstream commit cedebd74cf3883f0384af9ec26b4e6f8f1964dd4 ]
    
    Verify that nullness information is not propagated in the branches
    of register to register JEQ and JNE operations if one of them is
    PTR_TO_BTF_ID. Implement this in C level so we can use CO-RE.
    
    Signed-off-by: Hao Sun <sunhao.th@gmail.com>
    Suggested-by: Martin KaFai Lau <martin.lau@kernel.org>
    Link: https://lore.kernel.org/r/20221222024414.29539-2-sunhao.th@gmail.com
    Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
serial: atmel: fix incorrect baudrate setup
Author: Tobias Schramm <t.schramm@manjaro.org>
Date:   Mon Jan 9 08:29:40 2023 +0100

    serial: atmel: fix incorrect baudrate setup
    
    commit 5bfdd3c654bd879bff50c2e85e42f85ae698b42f upstream.
    
    Commit ba47f97a18f2 ("serial: core: remove baud_rates when serial console
    setup") changed uart_set_options to select the correct baudrate
    configuration based on the absolute error between requested baudrate and
    available standard baudrate settings.
    Prior to that commit the baudrate was selected based on which predefined
    standard baudrate did not exceed the requested baudrate.
    This change of selection logic was never reflected in the atmel serial
    driver. Thus the comment left in the atmel serial driver is no longer
    accurate.
    Additionally the manual rounding up described in that comment and applied
    via (quot - 1) requests an incorrect baudrate. Since uart_set_options uses
    tty_termios_encode_baud_rate to determine the appropriate baudrate flags
    this can cause baudrate selection to fail entirely because
    tty_termios_encode_baud_rate will only select a baudrate if relative error
    between requested and selected baudrate does not exceed +/-2%.
    Fix that by requesting actual, exact baudrate used by the serial.
    
    Fixes: ba47f97a18f2 ("serial: core: remove baud_rates when serial console setup")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Tobias Schramm <t.schramm@manjaro.org>
    Acked-by: Richard Genoud <richard.genoud@gmail.com>
    Link: https://lore.kernel.org/r/20230109072940.202936-1-t.schramm@manjaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

serial: pch_uart: Pass correct sg to dma_unmap_sg()
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Tue Jan 3 11:34:35 2023 +0200

    serial: pch_uart: Pass correct sg to dma_unmap_sg()
    
    commit e8914b52e5b024e4af3d810a935fe0805eee8a36 upstream.
    
    A local variable sg is used to store scatterlist pointer in
    pch_dma_tx_complete(). The for loop doing Tx byte accounting before
    dma_unmap_sg() alters sg in its increment statement. Therefore, the
    pointer passed into dma_unmap_sg() won't match to the one given to
    dma_map_sg().
    
    To fix the problem, use priv->sg_tx_p directly in dma_unmap_sg()
    instead of the local variable.
    
    Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20230103093435.4396-1-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210
Author: Juhyung Park <qkrwngud825@gmail.com>
Date:   Tue Jan 17 17:51:54 2023 +0900

    usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210
    
    commit dbd24ec17b85b45f4e823d1aa5607721920f2b05 upstream.
    
    The commit e00b488e813f ("usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS")
    blacklists UAS for all of RTL9210 enclosures.
    
    The RTL9210 controller was advertised with UAS since its release back in
    2019 and was shipped with a lot of enclosure products with different
    firmware combinations.
    
    Blacklist UAS only for HIKSEMI MD202.
    
    This should hopefully be replaced with more robust method than just
    comparing strings.  But with limited information [1] provided thus far
    (dmesg when the device is plugged in, which includes manufacturer and
    product, but no lsusb -v to compare against), this is the best we can do
    for now.
    
    [1] https://lore.kernel.org/all/20230109115550.71688-1-qkrwngud825@gmail.com
    
    Fixes: e00b488e813f ("usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS")
    Cc: Alan Stern <stern@rowland.harvard.edu>
    Cc: Hongling Zeng <zenghongling@kylinos.cn>
    Cc: stable@vger.kernel.org
    Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
    Acked-by: Oliver Neukum <oneukum@suse.com>
    Link: https://lore.kernel.org/r/20230117085154.123301-1-qkrwngud825@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: acpi: add helper to check port lpm capability using acpi _DSM
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Jan 16 16:22:15 2023 +0200

    usb: acpi: add helper to check port lpm capability using acpi _DSM
    
    commit cd702d18c882d5a4ea44bbdb38edd5d5577ef640 upstream.
    
    Add a helper to evaluate ACPI usb device specific method (_DSM) provided
    in case the USB3 port shouldn't enter U1 and U2 link states.
    
    This _DSM was added as port specific retimer configuration may lead to
    exit latencies growing beyond U1/U2 exit limits, and OS needs a way to
    find which ports can't support U1/U2 link power management states.
    
    This _DSM is also used by windows:
    Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/usb-device-specific-method---dsm-
    
    Some patch issues found in testing resolved by Ron Lee
    
    Cc: stable@vger.kernel.org
    Tested-by: Ron Lee <ron.lee@intel.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-7-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: core: hub: disable autosuspend for TI TUSB8041
Author: Flavio Suligoi <f.suligoi@asem.it>
Date:   Mon Dec 19 13:47:59 2022 +0100

    usb: core: hub: disable autosuspend for TI TUSB8041
    
    commit 7171b0e261b17de96490adf053b8bb4b00061bcf upstream.
    
    The Texas Instruments TUSB8041 has an autosuspend problem at high
    temperature.
    
    If there is no USB traffic, after a couple of ms, the device enters
    autosuspend mode. In this condition the external clock stops working, to
    save energy. When the USB activity turns on, the hub exits the
    autosuspend state, the clock starts running again and all works fine.
    
    At ambient temperature all works correctly, but at high temperature,
    when the USB activity turns on, the external clock doesn't restart and
    the hub disappears from the USB bus.
    
    Disabling the autosuspend mode for this hub solves the issue.
    
    Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
    Cc: stable <stable@kernel.org>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/20221219124759.3207032-1-f.suligoi@asem.it
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
Author: Maciej Żenczykowski <maze@google.com>
Date:   Tue Jan 17 05:18:39 2023 -0800

    usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
    
    commit c6ec929595c7443250b2a4faea988c62019d5cd2 upstream.
    
    In Google internal bug 265639009 we've received an (as yet) unreproducible
    crash report from an aarch64 GKI 5.10.149-android13 running device.
    
    AFAICT the source code is at:
      https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10
    
    The call stack is:
      ncm_close() -> ncm_notify() -> ncm_do_notify()
    with the crash at:
      ncm_do_notify+0x98/0x270
    Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)
    
    Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):
    
      // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
      0B 0D 00 79    strh w11, [x8, #6]
    
      // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
      6C 0A 00 B9    str  w12, [x19, #8]
    
      // x10 (NULL) was read here from offset 0 of valid pointer x9
      // IMHO we're reading 'cdev->gadget' and getting NULL
      // gadget is indeed at offset 0 of struct usb_composite_dev
      2A 01 40 F9    ldr  x10, [x9]
    
      // loading req->buf pointer, which is at offset 0 of struct usb_request
      69 02 40 F9    ldr  x9, [x19]
    
      // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
      4B 5D 40 B9    ldr  w11, [x10, #0x5c]
    
    which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:
    
      event->wLength = cpu_to_le16(8);
      req->length = NCM_STATUS_BYTECOUNT;
    
      /* SPEED_CHANGE data is up/down speeds in bits/sec */
      data = req->buf + sizeof *event;
      data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
    
    My analysis of registers and NULL ptr deref crash offset
      (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)
    heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
      data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
    which calls:
      ncm_bitrate(NULL)
    which then calls:
      gadget_is_superspeed(NULL)
    which reads
      ((struct usb_gadget *)NULL)->max_speed
    and hits a panic.
    
    AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.
    (remember there's a GKI KABI reservation of 16 bytes in struct work_struct)
    
    It's not at all clear to me how this is all supposed to work...
    but returning 0 seems much better than panic-ing...
    
    Cc: Felipe Balbi <balbi@kernel.org>
    Cc: Lorenzo Colitti <lorenzo@google.com>
    Cc: Carlos Llamas <cmllamas@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Cc: stable <stable@kernel.org>
    Link: https://lore.kernel.org/r/20230117131839.1138208-1-maze@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: gadget: g_webcam: Send color matching descriptor per frame
Author: Daniel Scally <dan.scally@ideasonboard.com>
Date:   Fri Dec 16 16:05:28 2022 +0000

    usb: gadget: g_webcam: Send color matching descriptor per frame
    
    commit e95765e97d9cb93258a4840440d410fa6ff7e819 upstream.
    
    Currently the color matching descriptor is only sent across the wire
    a single time, following the descriptors for each format and frame.
    According to the UVC 1.5 Specification 3.9.2.6 ("Color Matching
    Descriptors"):
    
    "Only one instance is allowed for a given format and if present,
    the Color Matching descriptor shall be placed following the Video
    and Still Image Frame descriptors for that format".
    
    Add another reference to the color matching descriptor after the
    yuyv frames so that it's correctly transmitted for that format
    too.
    
    Fixes: a9914127e834 ("USB gadget: Webcam device")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Daniel Scally <dan.scally@ideasonboard.com>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
    Link: https://lore.kernel.org/r/20221216160528.479094-1-dan.scally@ideasonboard.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: gadgetfs: Fix race between mounting and unmounting
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Fri Dec 23 09:59:09 2022 -0500

    USB: gadgetfs: Fix race between mounting and unmounting
    
    commit d18dcfe9860e842f394e37ba01ca9440ab2178f4 upstream.
    
    The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
    in the gadgetfs driver, involving processes concurrently mounting and
    unmounting the gadgetfs filesystem.  In particular, gadgetfs_fill_super()
    can race with gadgetfs_kill_sb(), causing the latter to deallocate
    the_device while the former is using it.  The output from KASAN says,
    in part:
    
    BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
    BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
    BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
    BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
    BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
    BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
    BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
    Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689
    
    CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
     <TASK>
    ...
     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
     __refcount_sub_and_test include/linux/refcount.h:272 [inline]
     __refcount_dec_and_test include/linux/refcount.h:315 [inline]
     refcount_dec_and_test include/linux/refcount.h:333 [inline]
     put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
     gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
     deactivate_locked_super+0xa7/0xf0 fs/super.c:332
     vfs_get_super fs/super.c:1190 [inline]
     get_tree_single+0xd0/0x160 fs/super.c:1207
     vfs_get_tree+0x88/0x270 fs/super.c:1531
     vfs_fsconfig_locked fs/fsopen.c:232 [inline]
    
    The simplest solution is to ensure that gadgetfs_fill_super() and
    gadgetfs_kill_sb() are serialized by making them both acquire a new
    mutex.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-and-tested-by: syzbot+33d7ad66d65044b93f16@syzkaller.appspotmail.com
    Reported-and-tested-by: Gerald Lee <sundaywind2004@gmail.com>
    Link: https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q-bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/
    Fixes: e5d82a7360d1 ("vfs: Convert gadgetfs to use the new mount API")
    CC: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/Y6XCPXBpn3tmjdCC@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: host: ehci-fsl: Fix module alias
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Fri Jan 20 13:27:14 2023 +0100

    usb: host: ehci-fsl: Fix module alias
    
    commit 5d3d01ae15d2f37ed0325c99ab47ef0ae5d05f3c upstream.
    
    Commit ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent
    driver module") changed DRV_NAME which was used for MODULE_ALIAS as well.
    Starting from this the module alias didn't match the platform device
    name created in fsl-mph-dr-of.c.
    Change DRV_NAME to match the driver name for host mode in fsl-mph-dr-of.
    This is needed for module autoloading on ls1021a.
    
    Fixes: ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent driver module")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Link: https://lore.kernel.org/r/20230120122714.3848784-1-alexander.stein@ew.tq-group.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jan 20 14:53:30 2023 +0100

    USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100
    
    commit 14ff7460bb58662d86aa50298943cc7d25532e28 upstream.
    
    The USB_DEVICE_ID_CODEMERCS_IOW100 header size was incorrect, it should
    be 12, not 13.
    
    Cc: stable <stable@kernel.org>
    Fixes: 17a82716587e ("USB: iowarrior: fix up report size handling for some devices")
    Reported-by: Christoph Jung <jung@codemercs.com>
    Link: https://lore.kernel.org/r/20230120135330.3842518-1-gregkh@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: cp210x: add SCALANCE LPE-9000 device id
Author: Michael Adler <michael.adler@siemens.com>
Date:   Tue Jan 3 14:48:50 2023 +0100

    USB: serial: cp210x: add SCALANCE LPE-9000 device id
    
    commit 3f9e76e31704a325170e5aec2243c8d084d74854 upstream.
    
    Add the USB serial console device ID for Siemens SCALANCE LPE-9000
    which have a USB port for their serial console.
    
    Signed-off-by: Michael Adler <michael.adler@siemens.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EC200U modem
Author: Ali Mirghasemi <ali.mirghasemi1376@gmail.com>
Date:   Wed Dec 28 15:08:47 2022 +0330

    USB: serial: option: add Quectel EC200U modem
    
    commit d9bbb15881046bd76f8710c76e26a740eee997ef upstream.
    
    Add support for EC200U modem
    
    0x0901: EC200U - AT + AP + CP + NMEA + DIAG + MOS
    
    usb-device output:
    T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
    D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
    P: Vendor=2c7c ProdID=0901 Rev= 3.18
    S: Manufacturer=Android
    S: Product=Android
    C:* #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=400mA
    A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
    E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
    I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=83(I) Atr=03(Int.) MxPS= 512 Ivl=4096ms
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=89(I) Atr=03(Int.) MxPS= 512 Ivl=4096ms
    I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Ali Mirghasemi <ali.mirghasemi1376@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EM05-G (CS) modem
Author: Duke Xin(辛安文) <duke_xinanwen@163.com>
Date:   Tue Dec 27 01:28:25 2022 -0800

    USB: serial: option: add Quectel EM05-G (CS) modem
    
    commit bb78654b0b46316dac687fd4b7dc7cce636f46cd upstream.
    
    The EM05-G (CS) modem has 2 USB configurations that are configurable via
    the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
    with the following interfaces, respectively:
    
    "RMNET" : AT + DIAG + NMEA + Modem + QMI
    "MBIM"  : MBIM + AT + DIAG + NMEA + Modem
    
    The detailed description of the USB configuration for each mode as follows:
    
    RMNET Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=030C Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    MBIM Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=030C Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EM05-G (GR) modem
Author: Duke Xin(辛安文) <duke_xinanwen@163.com>
Date:   Tue Dec 27 01:44:30 2022 -0800

    USB: serial: option: add Quectel EM05-G (GR) modem
    
    commit 6c331f32e32ac71eb3e8b93fceda2802d7ecb889 upstream.
    
    The EM05-G (GR) modem has 2 USB configurations that are configurable via
    the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
    with the following interfaces, respectively:
    
    "RMNET" : AT + DIAG + NMEA + Modem + QMI
    "MBIM"  : MBIM + AT + DIAG + NMEA + Modem
    
    The detailed description of the USB configuration for each mode as follows:
    
    RMNET Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0313 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    MBIM Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0313 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EM05-G (RS) modem
Author: Duke Xin(辛安文) <duke_xinanwen@163.com>
Date:   Tue Dec 27 01:51:27 2022 -0800

    USB: serial: option: add Quectel EM05-G (RS) modem
    
    commit b72d13977689f0c717444010e108c4f20658dfee upstream.
    
    The EM05-G (RS) modem has 2 USB configurations that are configurable via
    the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
    with the following interfaces, respectively:
    
    "RMNET" : AT + DIAG + NMEA + Modem + QMI
    "MBIM"  : MBIM + AT + DIAG + NMEA + Modem
    
    The detailed description of the USB configuration for each mode as follows:
    
    RMNET Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0314 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    MBIM Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0314 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-G
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EM05CN (SG) modem
Author: Duke Xin(辛安文) <duke_xinanwen@163.com>
Date:   Sun Jan 15 18:07:27 2023 -0800

    USB: serial: option: add Quectel EM05CN (SG) modem
    
    commit 1541dd0097c0f8f470e76eddf5120fc55a7e3101 upstream.
    
    The EM05CN (SG) modem has 2 USB configurations that are configurable via the AT
    command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate with
    the following interfaces, respectively:
    
    "MBIM"  : AT + MBIM + DIAG + NMEA  + MODEM
    "RMNET" : AT + DIAG + NMEA + Modem + QMI
    
    The detailed description of the USB configuration for each mode is as follows:
    
    MBIM Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0310 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-CN
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 1 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 2 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 2 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    RMNET Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0310 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-CN
    C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel EM05CN modem
Author: Duke Xin(辛安文) <duke_xinanwen@163.com>
Date:   Sun Jan 15 18:33:28 2023 -0800

    USB: serial: option: add Quectel EM05CN modem
    
    commit 71dfd381a7c051f16a61f82fbd38a4cca563bdca upstream.
    
    The EM05CN modem has 2 USB configurations that are configurable via the AT
    command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate with
    the following interfaces, respectively:
    
    "MBIM"  : AT + MBIM + DIAG + NMEA  + MODEM
    "RMNET" : AT + DIAG + NMEA + Modem + QMI
    
    The detailed description of the USB configuration for each mode is as follows:
    
    MBIM Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0312 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-CN
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 1 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 2 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 2 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    RMNET Mode
    --------------
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0312 Rev= 3.18
    S:  Manufacturer=Quectel
    S:  Product=Quectel EM05-CN
    C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: typec: altmodes/displayport: Add pin assignment helper
Author: Prashant Malani <pmalani@chromium.org>
Date:   Wed Jan 11 02:05:41 2023 +0000

    usb: typec: altmodes/displayport: Add pin assignment helper
    
    commit 582836e3cfab4faafbdc93bbec96fce036a08ee1 upstream.
    
    The code to extract a peripheral's currently supported Pin Assignments
    is repeated in a couple of locations. Factor it out into a separate
    function.
    
    This will also make it easier to add fixes (we only need to update 1
    location instead of 2).
    
    Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles")
    Cc: stable@vger.kernel.org
    Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Prashant Malani <pmalani@chromium.org>
    Reviewed-by: Benson Leung <bleung@chromium.org>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Link: https://lore.kernel.org/r/20230111020546.3384569-1-pmalani@chromium.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: typec: altmodes/displayport: Fix pin assignment calculation
Author: Prashant Malani <pmalani@chromium.org>
Date:   Wed Jan 11 02:05:42 2023 +0000

    usb: typec: altmodes/displayport: Fix pin assignment calculation
    
    commit 9682b41e52cc9f42f5c33caf410464392adaef04 upstream.
    
    Commit c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin
    assignment for UFP receptacles") fixed the pin assignment calculation
    to take into account whether the peripheral was a plug or a receptacle.
    
    But the "pin_assignments" sysfs logic was not updated. Address this by
    using the macros introduced in the aforementioned commit in the sysfs
    logic too.
    
    Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles")
    Cc: stable@vger.kernel.org
    Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Prashant Malani <pmalani@chromium.org>
    Reviewed-by: Benson Leung <bleung@chromium.org>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Link: https://lore.kernel.org/r/20230111020546.3384569-2-pmalani@chromium.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: xhci: Check endpoint is valid before dereferencing it
Author: Jimmy Hu <hhhuuu@google.com>
Date:   Mon Jan 16 16:22:11 2023 +0200

    usb: xhci: Check endpoint is valid before dereferencing it
    
    commit e8fb5bc76eb86437ab87002d4a36d6da02165654 upstream.
    
    When the host controller is not responding, all URBs queued to all
    endpoints need to be killed. This can cause a kernel panic if we
    dereference an invalid endpoint.
    
    Fix this by using xhci_get_virt_ep() helper to find the endpoint and
    checking if the endpoint is valid before dereferencing it.
    
    [233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
    [233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8
    
    [233311.853964] pc : xhci_hc_died+0x10c/0x270
    [233311.853971] lr : xhci_hc_died+0x1ac/0x270
    
    [233311.854077] Call trace:
    [233311.854085]  xhci_hc_died+0x10c/0x270
    [233311.854093]  xhci_stop_endpoint_command_watchdog+0x100/0x1a4
    [233311.854105]  call_timer_fn+0x50/0x2d4
    [233311.854112]  expire_timers+0xac/0x2e4
    [233311.854118]  run_timer_softirq+0x300/0xabc
    [233311.854127]  __do_softirq+0x148/0x528
    [233311.854135]  irq_exit+0x194/0x1a8
    [233311.854143]  __handle_domain_irq+0x164/0x1d0
    [233311.854149]  gic_handle_irq.22273+0x10c/0x188
    [233311.854156]  el1_irq+0xfc/0x1a8
    [233311.854175]  lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
    [233311.854185]  cpuidle_enter_state+0x1f0/0x764
    [233311.854194]  do_idle+0x594/0x6ac
    [233311.854201]  cpu_startup_entry+0x7c/0x80
    [233311.854209]  secondary_start_kernel+0x170/0x198
    
    Fixes: 50e8725e7c42 ("xhci: Refactor command watchdog and fix split string.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jimmy Hu <hhhuuu@google.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Message-ID: <0fe978ed-8269-9774-1c40-f8a98c17e838@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-3-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
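
The fix pattern described in the commit above, as an added user-space model (not the driver's code): a lookup modelled on xhci_get_virt_ep() returns NULL for an invalid slot or endpoint, and the teardown path checks that result before touching the endpoint. The struct layouts, the two limits and the demo_* names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; layouts and limits are assumptions. */
#define MAX_HC_SLOTS   256
#define EP_CTX_PER_DEV 31

struct virt_ep  { int queued_urbs; };
struct virt_dev { struct virt_ep eps[EP_CTX_PER_DEV]; };
struct host     { struct virt_dev *devs[MAX_HC_SLOTS]; };

/* Validating lookup: NULL for slot 0, an out-of-range index or a freed slot. */
struct virt_ep *get_virt_ep(struct host *h, unsigned int slot_id, unsigned int ep_index)
{
    if (slot_id == 0 || slot_id >= MAX_HC_SLOTS || ep_index >= EP_CTX_PER_DEV)
        return NULL;
    if (!h->devs[slot_id])
        return NULL;
    return &h->devs[slot_id]->eps[ep_index];
}

/* Give back every URB on one endpoint; an invalid endpoint is skipped. */
int kill_endpoint_urbs(struct host *h, unsigned int slot_id, unsigned int ep_index)
{
    struct virt_ep *ep = get_virt_ep(h, slot_id, ep_index);
    int given_back;
    if (!ep)            /* the check that prevents the NULL dereference */
        return 0;
    given_back = ep->queued_urbs;
    ep->queued_urbs = 0;
    return given_back;
}

/* Host stopped responding: walk every slot and endpoint, valid or not. */
int hc_died(struct host *h)
{
    unsigned int slot, ep;
    int total = 0;
    for (slot = 0; slot < MAX_HC_SLOTS; slot++)
        for (ep = 0; ep < EP_CTX_PER_DEV; ep++)
            total += kill_endpoint_urbs(h, slot, ep);
    return total;
}

/* Constructed sample state: slots 1 and 3 populated, slot 2 already freed.
 * Static storage starts zeroed, so every other slot pointer is NULL. */
static struct virt_dev dev1, dev3;
static struct host demo;

static void demo_setup(void)
{
    dev1.eps[0].queued_urbs = 2;
    dev1.eps[4].queued_urbs = 1;
    dev3.eps[2].queued_urbs = 5;
    demo.devs[1] = &dev1;
    demo.devs[3] = &dev3;
}

/* Total URBs given back when the sample host dies. */
int demo_host_died(void) { demo_setup(); return hc_died(&demo); }

/* 1 when the lookup yields a usable endpoint, 0 when it is rejected. */
int demo_lookup_ok(unsigned int slot_id, unsigned int ep_index)
{
    demo_setup();
    return get_virt_ep(&demo, slot_id, ep_index) != NULL;
}

int main(void)
{
    printf("given back %d, freed slot ok=%d\n", demo_host_died(), demo_lookup_ok(2, 0));
    return 0;
}
```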

 
wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
Author: Arend van Spriel <arend.vanspriel@broadcom.com>
Date:   Wed Jan 11 12:24:19 2023 +0100

    wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
    
    commit ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 upstream.
    
    A sanity check was introduced considering maximum flowrings above
    256 as insane and effectively aborting the device probe. This
    resulted in a regression for a number of users as the value turns out
    to be sane after all.
    
    Fixes: 2aca4f3734bd ("brcmfmac: return error when getting invalid max_flowrings from dongle")
    Reported-by: chainofflowers <chainofflowers@posteo.net>
    Link: https://lore.kernel.org/all/4781984.GXAFRqVoOG@luna/
    Reported-by: Christian Marillat <marillat@debian.org>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=216894
    Cc: stable@vger.kernel.org
    Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20230111112419.24185-1-arend.vanspriel@broadcom.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN
Author: YingChi Long <me@inclyc.cn>
Date:   Fri Nov 18 08:55:35 2022 +0800

    x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN
    
    commit 55228db2697c09abddcb9487c3d9fa5854a932cd upstream.
    
    WG14 N2350 specifies that it is an undefined behavior to have type
    definitions within "offsetof", see
    
      https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm
    
    This specification is also part of C23.
    
    Therefore, replace the TYPE_ALIGN macro with the _Alignof builtin to
    avoid undefined behavior. (_Alignof itself is C11 and the kernel is
    built with -gnu11).
    
    ISO C11 _Alignof is subtly different from the GNU C extension
    __alignof__. The latter is the preferred alignment and _Alignof the
    minimal alignment. For long long on x86 these are 8 and 4
    respectively.
    
    The macro TYPE_ALIGN's behavior matches _Alignof rather than
    __alignof__.
    
      [ bp: Massage commit message. ]
    
    Signed-off-by: YingChi Long <me@inclyc.cn>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Link: https://lore.kernel.org/r/20220925153151.2467884-1-me@inclyc.cn
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
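
An added illustration of the alignment point in the commit above (not the kernel's code): alignment is measured through a named probe struct, so no type is defined inside offsetof, and compared with _Alignof and __alignof__; the value then feeds a "member is last in its struct" check. The probe macros, the struct layouts and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Alignment measured through a NAMED probe struct: the same arithmetic as an
 * offsetof-based macro, but the type is defined outside offsetof. */
#define DEFINE_PROBE(tag, T) struct probe_##tag { char c; T member; }
#define PROBE_ALIGN(tag)     offsetof(struct probe_##tag, member)

/* Hypothetical layouts (assumptions for this example). */
struct fpu_like  { char hdr; long long regs[4]; };
struct task_like { int pid; struct fpu_like fpu; };  /* fpu is the last member */
struct bad_like  { struct fpu_like fpu; int pid; };  /* fpu is not last */

DEFINE_PROBE(ch, char);
DEFINE_PROBE(in, int);
DEFINE_PROBE(ll, long long);
DEFINE_PROBE(db, double);
DEFINE_PROBE(fp, struct fpu_like);

#define ALIGN_UP(x, a)      (((x) + (a) - 1) / (a) * (a))
#define OFFSETOFEND(T, m)   (offsetof(T, m) + sizeof(((T *)0)->m))
/* True when only tail padding follows member m in T. */
#define MEMBER_AT_END(T, m) \
    (sizeof(T) == ALIGN_UP(OFFSETOFEND(T, m), _Alignof(T)))

/* Number of probed types for which _Alignof disagrees with the probe offset. */
int alignof_probe_mismatches(void)
{
    int bad = 0;
    bad += _Alignof(char)            != PROBE_ALIGN(ch);
    bad += _Alignof(int)             != PROBE_ALIGN(in);
    bad += _Alignof(long long)       != PROBE_ALIGN(ll);
    bad += _Alignof(double)          != PROBE_ALIGN(db);
    bad += _Alignof(struct fpu_like) != PROBE_ALIGN(fp);
    return bad;
}

/* The GNU preferred alignment is never below the minimal one. */
int preferred_at_least_minimal(void)
{
    return __alignof__(long long) >= _Alignof(long long);
}

int fpu_is_last_in_task(void) { return MEMBER_AT_END(struct task_like, fpu); }
int fpu_is_last_in_bad(void)  { return MEMBER_AT_END(struct bad_like, fpu); }

int main(void)
{
    printf("long long: _Alignof=%zu __alignof__=%zu probe=%zu\n",
           (size_t)_Alignof(long long), (size_t)__alignof__(long long),
           (size_t)PROBE_ALIGN(ll));
    printf("mismatches=%d last_in_task=%d last_in_bad=%d\n",
           alignof_probe_mismatches(), fpu_is_last_in_task(),
           fpu_is_last_in_bad());
    return 0;
}
```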

 
xhci-pci: set the dma max_seg_size
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Jan 16 16:22:10 2023 +0200

    xhci-pci: set the dma max_seg_size
    
    commit 93915a4170e9defd56a767a18e6c4076f3d18609 upstream.
    
    Allow devices to have dma operations beyond 64K, and avoid warnings such
    as:
    
    xhci_hcd 0000:00:14.0: mapping sg segment longer than device claims to support [len=98304] [max=65536]
    
    Cc: stable@vger.kernel.org
    Cc: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xhci: Add a flag to disable USB3 lpm on a xhci root port level.
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Jan 16 16:22:14 2023 +0200

    xhci: Add a flag to disable USB3 lpm on a xhci root port level.
    
    commit 0522b9a1653048440da5f21747f21e498b9220d1 upstream.
    
    One USB3 roothub port may support link power management, while another
    root port on the same xHC can't due to different retimers used for
    the ports.
    
    This is the case with Intel Alder Lake, and possible future platforms
    where retimers used for USB4 ports cause too long exit latency to
    enable native USB3 lpm U1 and U2 states.
    
    Add a flag in the xhci port structure to indicate if the port is
    lpm_incapable, and check it while calculating exit latency.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-6-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Add update_hub_device override for PCI xHCI hosts
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Jan 16 16:22:13 2023 +0200

    xhci: Add update_hub_device override for PCI xHCI hosts
    
    commit 23a3b8d5a2365653fd9bc5a9454d1e7f4facbf85 upstream.
    
    Allow PCI hosts to check and tune roothub and port settings
    before the hub is up and running.
    
    This override is needed to turn off U1 and U2 LPM for some ports
    based on per port ACPI _DSM, _UPC, or possibly vendor specific mmio
    values for Intel xHC hosts.
    
    Usb core calls the host update_hub_device once it creates a hub.
    
    Entering U1 or U2 link power save state on ports with this limitation
    will cause link to fail, turning the usb device unusable in that setup.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-5-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Jan 16 16:22:16 2023 +0200

    xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables
    
    commit 74622f0a81d0c2bcfc39f9192b788124e8c7f0af upstream.
    
    USB3 ports on xHC hosts may have retimers that cause too long
    exit latency to work with native USB3 U1/U2 link power management states.
    
    For now only use usb_acpi_port_lpm_incapable() to evaluate if port lpm
    should be disabled while setting up the USB3 roothub.
    
    Other ways to identify lpm incapable ports can be added here later if
    ACPI _DSM does not exist.
    
    Limit this to Intel hosts for now, this is to my knowledge only
    an Intel issue.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-8-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Fix null pointer dereference when host dies
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Jan 16 16:22:12 2023 +0200

    xhci: Fix null pointer dereference when host dies
    
    commit a2bc47c43e70cf904b1af49f76d572326c08bca7 upstream.
    
    Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race
    and cause null pointer dereference when host suddenly dies.
    
    Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]
    virt device at the same time that xhci_kill_endpoint_urbs() tries to
    loop through all the device's endpoints, checking if there are any
    cancelled urbs left to give back.
    
    Hold the xhci spinlock while freeing the virt device.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20230116142216.1141605-4-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>